Child Domains and GPO's

[Guest]

I want to add a user from a child domain to a Group on the parent domain. Is
this possible?

More info: I have an exchange server in the Child domain and a number of
accounts in the child domain used to administer the exchange server. There
was a group created in the parent domain when installing exchange named
Exchange Admins. I would like to give the child domain users full exchange
admin rights but do not want to give them parent domain accounts.

Thanks for the help.

E

 

[Herb Martin]

I want to add a user from a child domain to a Group on the parent domain. Is
this possible?

Yes. There is an automatic (domain) trust
between each parent and child domain and
these are transitive so in effect every domain
of the forest trusts every other.

More info: I have an exchange server in the Child domain and a number of
accounts in the child domain used to administer the exchange server. There
was a group created in the parent domain when installing exchange named
Exchange Admins. I would like to give the child domain users full exchange
admin rights but do not want to give them parent domain accounts.

Create a Global group in the domain with users
and place this group in the Local group Exchange
Admins* (in whichever domain holds it.)

I am presuming this is a Local group of your parent
domain.

BTW, this has nothing to do with GPOs (directly).

GPO inheritance does NOT flow across domain
boundaries (i.e., down domain trees.)

If you wish to use a GPO in multiple domains you
must either (preferred) copy it to and link it to each
domain OR (usually poor choice) Link to each domain
from the source domain.

The latter is technically a legal choice but don't do it
that way.

Example: 4 domains, you must (still) LINK it 4 times
if you wish it to apply throughout the forest.

 

[Chriss3 [MVP]]

GPOs can be linked to Site objects. Sites can contain multiple domains, then
the particular gpo will be applied to multiple domains or objects within
multiple domains. The limination is its only available to domains within
same forest.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup

 

[Guest]

Thanks Guys!

Herb, That worked. I created a global group in the child domain, added the
users to it then I was able to add that group to the "Exchange Admins" group
in the parent domain.

Thanks again.

E

GPOs can be linked to Site objects. Sites can contain multiple domains, then
the particular gpo will be applied to multiple domains or objects within
multiple domains. The limination is its only available to domains within
same forest.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup

 

[Herb Martin]

GPOs can be linked to Site objects.

True but irrelevant to inheritance across domains boundaries.

Sites can contain multiple domains,

Not really true -- site neither contain domains nor
do domains contain sites.

The machines for a domain may be in a single site
of course, but the concept doesn't apply to domains.

Microsoft specifically invented sites to help BREAK
the direct connection between Domains and Locations.

then
the particular gpo will be applied to multiple domains or objects within
multiple domains.

The second is the case -- to the machines in a domain,
in no way is it linked to the domain and a (very) few
items MUST be linked at the domain level to have an
effect.

The limination is its only available to domains within
same forest.

???

 

[Herb Martin]

Herb, That worked. I created a global group in the child domain, added
the

users to it then I was able to add that group to the "Exchange Admins" group
in the parent domain.

Thanks again.

You are most welcome -- pass it on to others.